Is 1Password vulnerable to screen capture?

I recently inadvertently (stupidly) opened a phishing link (a fake PayPal message) and then opened 1Password and retrieved a password from it. Is it possible that the phishing page has now captured my 1Password password? I reset my master password the next morning, but that would have given ample time for someone to export all my logins. Should I be changing all my login passwords in every account stored on 1Password, or am I being paranoid? (1Password for Windows v., Chrome extension, Windows 10)


  • jpgoldberg Agile Customer Care

    Team Member

    You have nothing[1] to worry about (other than your PayPal password if you manually entered it into the phishing page.) One of the ways that 1Password works is that the web page you are filling on never sees any secrets from 1Password other than the ones that get filled for that page.

    When you enter your 1Password Master Password in 1Password for Windows invoked from Chrome, you are not actually entering your Master Password into Chrome. You are entering it into a special window that is run by 1Password Agent. This is part of our security design. We know that web pages are hostile environments, and so we have designed 1Password to minimize its exposure to that environment. So even though the 1Password popup may have looked like it was in Chrome (and you probably invoked it by Ctrl-\ or clicking on the 1Password icon in Chrome), that little window was not, in fact, part of Chrome and certainly not entangled with the web page you visited.

    Sorry to go on about this at such length, but you have been protected by part of our security design that isn't usually visible to users. You don't notice that the 1Password popup is actually run from 1Password agent instead of being run out of the browser extension. We want it to be easy for people to use 1Password in their browsers, so we conceal that separation. But that separation is an important part of our security architecture, and it isn't one that I get to talk about too often.

    You probably noticed that 1Password refused to fill that bogus page with your PayPal username and password. 1Password won't stop you from copying and pasting a password into the wrong page, but it does a very good job of knowing when to do the filling itself. But even if 1Password were somehow tricked into thinking that that was the genuine PayPal page (unlikely as that is), it would be your PayPal password that would have been put at risk.

    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

    1. I don't like saying things like "never" or "impossible". And without knowing the complete details I can't give you absolute assurance, but I am giving you a great deal of assurance.

  • brenty

    Team Member

    @phlavats: Hmm. I think if there's doubt in your mind, it may be worth considering taking an extreme approach, if only for peace of mind. But I have some thoughts that may (or may not) apply to your situation which can hopefully help.

    First, unless you actually downloaded and ran a malicious app on your machine, there isn't much reason to believe that anyone would have the kind of access needed to capture information other than what you entered on the phishing site itself.

    But also, while it may be possible to grant a website access to the camera, modern browsers (especially Chrome) will ask for permission first. And this doesn't give them access to the rest of the system. Access to local files outside the browser has been restricted in browsers for some time, and would require action on your part to loosen that restriction.

    So based on your comments, it sounds like you may just need to change the password for whatever login credentials you entered erroneously on the phishing site. 1Password won't even fill credentials for you on a website that doesn't match the URL saved in the login.

    And while PayPal in particular is a scary target since it's probably tied to your bank account and credit cards, as far as I can tell it isn't possible for someone to actually get that information out of your account (it will only show portions of your payment details). So the real risk would be someone actually using your PayPal account to purchase or transfer. But if you changed the password already and there hasn't been fraudulent activity there, you're probably good to go.

    It's also important to note that 1Password doesn't store your data in the browser; it only gets things like login credentials from the main app on demand, so even if your browser were compromised, it would take some time for the attacker to collect all of your data as you access it little by little.

    That said, I don't really know any of the specifics here, so you may have a better perspective based on your firsthand experience. Let me know what you think!

This discussion has been closed.
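
Both replies say 1Password declines to fill a login on a page that does not match the URL saved with it. The sketch below is an added example of that kind of check, not 1Password's code and not from either poster; `shouldFill`, `baseHost`, the HTTPS requirement and every sample URL are assumptions constructed here.

```javascript
// Added illustration: a simplified origin check an autofill component could
// apply before releasing a saved credential. Hypothetical names throughout.

// Constructed sample entry: the URL stored with the saved login.
const savedLogin = { title: "PayPal", url: "https://www.paypal.com/signin" };

// Strip a leading "www." so www.paypal.com and paypal.com compare equal.
function baseHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// True only when the page is served over HTTPS (assumed policy) and its host
// is the saved host or a subdomain of it. A production check would also
// consult the Public Suffix List; that step is omitted in this sketch.
function shouldFill(pageUrl, saved) {
  let page, stored;
  try {
    page = new URL(pageUrl);
    stored = new URL(saved.url);
  } catch {
    return false; // unparseable URL: refuse to fill
  }
  if (page.protocol !== "https:") return false;
  const pageHost = baseHost(page.hostname);
  const savedHost = baseHost(stored.hostname);
  // Compare on a label boundary so "notpaypal.com" does not match "paypal.com".
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

// Constructed page URLs: one genuine, the rest lookalikes a user might miss.
const samples = [
  "https://www.paypal.com/signin",                    // genuine
  "https://paypal.com.account-verify.example/signin", // brand as a subdomain label
  "https://www.paypal.com@phish.example/signin",      // brand in the userinfo part
  "https://paypa1.example/signin",                    // digit swapped for a letter
  "https://notpaypal.com/",                           // shares only a string suffix
  "http://www.paypal.com/signin",                     // right host, no TLS
];
for (const u of samples) {
  console.log(shouldFill(u, savedLogin) ? "fill  " : "refuse", u);
}
```

Only the first URL is filled; the comparison uses the parsed hostname, so what the address looks like to a person reading it has no effect on the decision.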